Copyright 2005 David Glosser
1david.glosser@1gmail.com1 (remove all numbers from email address).
One of the more common methods used by spyware is to launch themselves upon system startup by adding themselves to the registry entries associated with startup. Another very popular methods used by spyware is to integrate itself with Internet Explorer via a Browser Helper Object (BHO).
Unfortunately, BHOs are also used by spyware and adware, to monitor and track your internet usage, or to serve up unwanted advertising and popups.
Therefore, one way to detect if spyware or adware has been installed on a computer is by the presence of an unauthorized BHO. (Other ways include new startup items and processes..)
A CLSID is supposed to be a unique identification tag that's associated with a BHO (and other objects). I think of them as file extensions--there should to be a unique file extension associated with each installed application.
Some of the popular anti-spyware and anti-adware tools keep databases of CLSIDs, BHOs, and startup items associated with adware, spyware and other types of malware. However, some of the more evil malware programs will attempt to hide their existence by morphing themselves just enough to avoid detection until the next version of the detection software comes out. This includes using random file names and random CLSIDs.
One of the most complete databases of CLSIDs, from CastleCops, does not add the CLSIDs of these BHOs to their master list, because "the number of possible names and combinations could therefore literally run into the billions" (http://castlecops.com/postt7736.html, http://computercops.biz/print-1-7736.html.
How does one identify these randomly-named CLSIDs? How do we detect an adware or spyware infection if the same spyware will have totally different CLSIDs on two different machines?
Being able to proactively monitor or scan a network for spyware and adware would aid in the fight by catching an infection as early as possible.
One of the more interesting network-based malware detection techniques uses snort to detect malware. There are a bunch of snort signatures which match traffic patterns of known spyware, adware, and malware. Many of these signatures have been conveniently aggregated into "bleeding malware" rules located on the Bleeding Snort web site.
When a partnership between Nessus and Bleeding Snort was announced, I was immediately interested, because I didn't know of any "Open Source" or "GPL" remote malware scanners.
Because, as mentioned earlier, there are so many possible combinations of CLSIDs, my preference was to actually keep a list of "approved" BHOs, scan each machine, and flag those which weren't on the "approved" list.
While I was researching (on my own time) how to program such a Nessus plugin (and not being very sucessful), I noticed references to "TieRegistry" and downloaded a script called SrvCpuMem.pl which opens a remote registry and reports the CPU and memory size for each server in a domain. (The original script is located at http://www.roth.net/perl/scripts/scripts.asp?SrvCpuMem.pl and I wish to thank Paul Popour and Roth Consulting for releasing their scripts into the public domain. )
The script was extensively rewritten to report on BHOs instead of CPU and memory information for the remote desktops. I also added a "bhoignore" file which would ignore those "approved" BHOs (who wants to see a list of Acrobat Reader BHO's on every machine?), as well as an option to only report on BHO's considered malware by the CastleCops BHOList. (Thanks to CastleCops for publishing this list and giving us permission to use it.) I also added code to flag "unknown" CLSIDs, which are not on the CastleCops list, because those would likely be malware using random CLSIDs.
The program scans the remote nodes in a network for all installed BHOs. (The host computer must be a member of the domain and have rights to read the registry of the remote machine.) The program outputs reports in simple html format as well as a tab-delimited file for import into a spreadsheet.
It has been tested on W2K server as well as an AD domain but should be considered late alpha to early beta software. It is free software and can be redistributed or modified it under the terms of version 2 of the GNU General Public License with only minor modifications (the full license can be found in the download page).
Please remember this is not a malware removal tool. The program scans remote nodes in a network for installed BHOs, which is one of the tell-tale signs of a malware infection, but doesn't remove them.